April 8, 2003
Mr. James Sylph
Technical Director
International Auditing and Assurance Standards Board
535 Fifth Avenue, 26th Floor
New York, NY10017
Re:Proposed International Standards on Audit Risk
Dear Mr. Sylph:
IOSCO’s Standing Committee No. 1 (“SC1”) appreciates the opportunity to comment on the audit risk exposure drafts (Amendment to ISA 200, “Objective and Principles Governing an Audit of Financial Statements;” proposed ISAs, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement;” “Auditor’s Procedures in Response to Assessed Risks;” and “Audit Evidence”). SC1 also appreciates the time taken by a member of the Board earlier in the year to meet with members of its Auditing Subcommittee for a preliminary discussion of the exposure drafts.
IOSCO is committed to promoting the integrity of international markets through promotion of high quality accounting and auditing standards, including rigorous application and enforcement. The comments we have provided herein reflect a general consensus among the members of Standing Committee No. 1 and are not intended to include all the comments that might be provided by individual members on behalf of their respective jurisdictions in the future.
We support and commend the IAASB’s efforts to update and improve International Standards on Audit. We recognize that the IASB is making progress in making international auditing standards more rigorous and useful in today’s financial reporting environment. This work is appreciated and we look for it to continue.
Many of the changes in the proposed standards addressed in this letter do represent improvements to the current guidance. However, we continue to be concerned that the exposure drafts still make an inadequate distinction between procedures that are always required in a high quality audit, and procedures that may or may not be appropriate, and background information. We refer you to the comment letter issued by SC1 on February 5, 2003, regarding the Exposure Draft on “Terms of Reference, Preface to the International Standards on Quality Control, Auditing, Assurance and Related Services and Operations Policy No. 1 – Bold Type Lettering”. All of the concerns expressed in that letter also apply to these exposure drafts. IOSCO SC1 believes that these concerns need to be addressed urgently.
In the present case, there is a lack of precision in the language used in the proposed standards and in some cases a lack of clarity as to what auditors are expected to do. This lack of clarity will inevitably lead to inconsistent application in practice. Readers of auditing standards must be able to clearly ascertain what procedures are mandatory in all audits, and what procedures are explanatory or only applicable in certain specific cases.
SC 1 has a number of specific concerns relating to the subjects addressed in these exposure drafts. In particular, we note the importance of the auditor having a full and up-to-date understanding of the audited entity, it’s environment and its internal control system to be effective in assessing risk and planning and performing the audit.
Obtaining an adequate understanding of an entity’s internal controls is fundamental to any audit, regardless of the entity’s size. While we recognize that each audit is unique and that audits of large companies may be more complex and time consuming than those in small entities, we believe that the general approach and principles for assessing and responding to risk should be the same. Therefore statements that suggest more limited audit procedures or less stringent governance requirements for small entities are not acceptable, unless it is clarified that these statements are referring to non-public small entities.
We also have a concern that some of the content in the ED could be misinterpreted to mean that auditors may default to testing the operating effectiveness of internal controls only every third year. While we believe the ED only intends such an option when (1) the particular control involved does not mitigate a significant risk and (2) when the control has not been altered since the prior year, we think the presentation in the ED is unclear and needs significant improvement. At a minimum, paragraph 40 should be moved to precede the existing paragraph 36 and paragraphs 36 and 38 paragraphs should be clarified. We have the same general concern that the IAASB must take care to avoid language that could inadvertently encourage inappropriate shortcuts in audits, at a time when rigorous audits are needed more than ever to restore investor confidence.
We have made a number of detailed comments in the attachments to this letter. The comments in Attachment A relate to the request for comments on specific issues in Appendix 3 of the Explanatory Memorandum to the Audit Risk Exposure Drafts. Attachment B includes other issues, which were noted by SC1 in our review of the documents.
If you have any questions or need additional information on the recommendations and comments that we have provided, please do not hesitate to contact Janet Luallen, Susan Koski-Grafer, Scott Taub or me at (202) 942-4400.
Sincerely,
Jackson Day
Chair
IOSCO Standing Committee No. 1Attachment A
1. General
[Source: Appendix 3, Commentators Guide to Issues, from Explanatory Memorandum to Audit Risk Exposure Drafts]
[ISAs are drafted to contain basic principles and essential procedures together with related guidance that apply to the audits of financial statements of any entity, irrespective of its size. However, the IAASB recognizes that the audit of small entities may give rise to certain special audit considerations. Are there such special audit considerations in applying the standard and guidance contained in proposed ISA XX, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement,” and propose ISA XX, “ The Auditor’s Procedures in Response to Assessed Risks”? If so, include details of such consideration.]
The standards and guidance are equally applicable to all entities regardless of size. We believe that in assessing and responding to risk, the general approach and principles should be the same. In particular, we have not identified any special audit considerations for smaller listed companies and believe that the procedures should be the same.
2. Understanding the Entity and its Environment and Assessing the Risks of Material Mistatement
[Paragraphs 50 through 94 deal with internal control including the requirement to obtain an understanding of the components of internal control and guidance on obtaining the understanding. Appendix 2 contains further guidance to assist the auditor in understanding the components of internal control, including their application to small entities.
Is this additional guidance helpful, or is there sufficient material within the ISA itself? In considering this question, commentators should assume that the paragraphs relating to small entities will be retained whether in the Appendix or elsewhere.]
SC 1 believes the guidance in Appendix 2 in the exposure draft is useful and should be retained and that the appendices are an integral part of an ISA
3. The Auditor’s Procedures in Response to Assessed Risks
[Where the auditor plans to rely on controls that have not changed since they were last tested, paragraph 38 requires the auditor to test the operating effectiveness of such controls at least every third audit. The IAASB discussed whether it was appropriate to impose such a limit on the ability of the auditor to use audit evidence obtained in a prior audit. The alternative view is that the period for such reliance should be left to the auditor’s judgment.
Is it appropriate for the ISA to specify a time period, and if so, is every third audit an appropriate limit? If not, please indicate what time period, if any, is considered more appropriate.]
SC 1 believes that periodic testing[1] is reasonable as a general requirement for testing the operating effectiveness of controls that have not changed since they were last tested provided that:
the auditor does not plan to rely on the operating effectiveness of controls intended to mitigate a significant risk, and
the procedures in Paragraph 36, which deal with obtaining evidence about whether changes in specific controls have occurred subsequent to the prior audit, are carefully followed and documented by the auditor.
The factors in Paragraph 36 relating to control effectiveness should stress checking for changes in design if controls are unchanged and also consideration of changes in the business that could affect the operating effectiveness of the control system even though the design is unchanged.
Paragraph 40 should be moved to precede paragraph 36 to clarify the point that Paragraph 36 should only be applied if the assessed risk of material misstatement at the assertion level is not significant.
The beginning of Paragraph 36 should clearly state that it only applies if the controls on which the auditor plans to use audit evidence on operating effectiveness from prior audits does not involve a significant risk assessed at the assertion level.
Paragraph 36 should also stress checking for changes in design if controls are unchanged and consideration of changes in the business that could affect the operating effectiveness of the system even though the design is unchanged.
Documentation of the procedures performed and the considerations carried out in accordance with Paragraphs 36 and 38 should be required.
The IAASB should carefully word paragraph 38 so that the auditors do not automatically default to testing the operating effectiveness of controls on a minimum basis of “at least every third audit.”
The following lead-in to the third sentence in Paragraph 38 “However, the auditor is required to retest a control being relied on at least every third audit, because” should be deleted because the remainder of the sentence is true in all cases, even for shorter intervals, and not just for every three years. In addition, Paragraph 38 should include a reference to Paragraph 36, regarding the fact that there are no changes in the controls.
The IAASB should recognize that in some jurisdictions there might be different periodic testing requirements for listed versus unlisted companies.
4.Documentation
[Proposed ISAs XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements,” and ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” include detailed documentation requirements. The IAASB considers that documentation requirements are important as a means of ensuring that auditors comply with significant requirements of the standards. The requirements are more extensive than previously. Do commentators agree that it is appropriate for the IAASB to establish detailed documentation requirements? Are the proposals practical? If not, what suggestions do you have for documentation that achieves the objective of improving compliance with standards.]
SC 1 agrees with the documentation requirements that have been included. Without these requirements there cannot be a determination of whether the auditor has complied with the standards. Documentation should be sufficient to understand the procedures performed, by whom they were performed, the evidence obtained, and should show that the accounting records agree with the financial statements. Audit documentation of tests of operating effectiveness of controls that involve inspection of documents or confirmations should include an identification of the items tested. The identification of the items tested may be accomplished by indicating the source from which the items were selected and the selection criteria. We also believe that the additional documentation recommended in this letter should be included in the standards.
In its comments on ISA 230, Documentation, SC 1 supported a hybrid approach with ISA 230 limited to coverage of the general principles governing documentation. Other ISAs addressing specific aspects of an audit should provide, where relevant, guidance on the implementation or application of the general documentation principles in the context of the particular issue. The specific documentation guidance currently in the exposure drafts is appropriate. However, Paragraph 65 (The Auditor’s Procedures in Response to Assessed Risks) and Paragraph 117 (Understanding the Entity and Its Environment) should refer to ISA 230 in order to reinforce the fact that the detailed documentation requirements in individual ISAs should be considered in the context of the general requirement that procedures be documented. Since ISA 230 covers documentation requirements as a principle, Paragraphs 65 and 117 could make the principle established by ISA 230 less effective on other aspects of the audit process if it is not clear that they supplement the general requirement in ISA 230.
SC 1 believes the list in Paragraph 117 of “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements should include the communications discussed in Paragraph 115 regarding the material weaknesses in the design or implementation of internal control that have come to the auditor’s attention.
In addition to the requirement that the auditor document the controls evaluated as a result of the requirements in paragraphs 104 and 110, Paragraph 117 (c) of “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements” should be revised to state that the auditor should be required to document the risks identified as a result of the requirements in paragraphs 104 and 110.
In Paragraphs 36 and 38 of the proposed standard “The Auditor’s Procedures in Response to Assessed Risks” guidance should be provided describing the required documentation of the procedures performed and the considerations undertaken by the auditor.
Attachment B
SC 1 noted the following additional comments that we believe should be addressed in the proposed standards:
1. Amendment to ISA 200, Objective and Principles Governing an Audit of Financial Statements
- Paragraph 14 refers to audit risk being reduced to an acceptably low level. It is not clear what the context or frame of reference would be for what is acceptable. This could be clarified by amending Paragraph 14 as follows:
“The auditor should plan and perform the audit to reduce audit risk to an acceptably low level that is consistent with the objective of an audit.”
- Paragraph 16 should be revised as follows to address the cumulative impact of individually immaterial misstatements at the assertion level:
“The auditor is concerned only with material misstatements, and is not responsible for the detection of misstatement that are not material to the financial statements taken as a whole. However, the auditor considers the aggregate impact of individual misstatements identified during the audit process. Materiality and audit risk are related…. The auditor should considers risk and materiality at two levels: at the overall financial statement level and in relation to the individual classes of transactions, account balances, and disclosures and the related assertions.”
2. Proposed ISA, “Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement”
- We believe that there are a number of places in the standard where the language is not precise and should be revised. For example:
Paragraph 9 states that making inquiries of others within the entity “…may be useful…”. This is inconsistent with the requirement for such inquiries in Paragraph 8. It should be reworded to state “The auditor inquires of others within the entity to provide the auditor with a perspective different from that of management and those responsible for financial reporting.”
- Paragraph 19 states that “…Based on these discussions, members of the audit team may gain a better understanding… and how the results of the audit procedures that they perform may affect other aspects of the audit…” Presumably the required outcome is that the audit team will gain a better understanding of how each team member’s work impacts on other aspects of the audit. This paragraph could be restated more positively as follows:
“The objective of the discussion is to ensure that members of the audit team gain a better understanding of the potential for misstatement of the financial statements resulting from fraud or error in the specific areas of the audit assigned to them, and how the audit procedures that they perform are integrated into the audit process and how the results of these procedures affect other aspects of the audit, including decisions about the nature, timing and extent of audit procedures.
- Paragraph 53 which says, “Obtaining an understanding of internal control involves evaluating the design of a control and determining whether it has been implemented” should be more directive. It should be revised to state that:
“To obtain an understanding of internal control, the auditor should evaluate the design of a control and determine whether it has been implemented.”
In addition, the fourth sentence in the paragraph identifies a number of steps that “may” be used to obtain audit evidence about the design and implementation. While not all of the steps noted would be applicable in every situation, the guidance should be stronger to establish the presumption that the steps apply in most situations. Therefore, instead of saying, “may involve” the sentence should say “ordinarily involve”.
- SC 1 believes that it is imperative that Paragraph 54 be revised as follows:
“Obtaining an understanding of an entity’s controls is not likely to be sufficient to serve as testing the operating effectiveness of controls.”
- The words “may be” in the first and last lines of Paragraph 58 should be replaced with “are” because in both cases they are relevant to the audit.
- Paragraph 60, which addresses the safeguarding of assets, should be clarified to say that it is just an example of the general point made earlier that the controls to be considered by the auditor are generally those relevant to the reliability of financial reporting.
- Paragraph 96 should include a reference to Paragraph 22 in the proposed ISA, “The Auditor’s Procedures in Response to Assessed Risks” which discusses the tests of controls required to obtain audit evidence that controls are operating effectively.
3. Proposed ISA, “The Auditor’s Procedures in Response to Assessed Risks”
- The proposed ISA should provide more detail and discussion regarding staff assignment as an output of the risk assessment process. Paragraph 5 makes one brief reference to assigning more experienced staff, or staff with special skills, which implies that the audit team will have been selected prior to the audit risk assessment being carried out. This discussion of staff assignment should be more prominent and should make it clear that the risk assessment process should have a direct impact on the composition of the audit team.
- We noted that Paragraph 30 appears to provide a different concept on dual-purpose testing from the concept provided in the comparable U.S. exposure draft. We were unclear as to whether the differences noted are ones of substance or simply reflect different understandings of the terminology used. In addition we believe that caution needs to be exercised and we would be concerned about any promotion of the extensive use of dual purpose testing.
- The last sentence in Paragraph 45 should be revised as follows because we do not believe that analytical procedures alone will provide sufficient evidence of matters of significant risk:
“For significant risks, it is not likely that audit evidence obtained from substantive analytical procedures alone will not be sufficient.”